We have the application hosted locally not on EC2. Is it possible to access the AWS S3 using the IAM Role instead of profile or credentials from java?
The security team has raised concern about storing the credentials locally as it is vulnerable.
As far as I have googled, I have found options to access using Credentials stored in Environment or in .aws as a profile. If we need ROLE based authentication, then the application is supposed to be deployed in EC2. But we have the server hosted locally.
Please provide if you have any suggestions.
I'm not sure I understand what you want to do, but why not assign a dedicated user to that role?
Another thing you might find useful, is using temporary credentials. In general, Amazon have two services for this - Cognito and STS (as far as I understand, Cognito is using STS behind the scenes). They have different limitations, but in general, they allow you to receive credentials for limited time. This way, you will get an access id, a secret (and also a session id), but they will be temporary.
We have the application hosted locally not on EC2. Is it possible to access the AWS S3 using the IAM Role instead of profile or credentials from java?
Service-roles are bound to AWS services, so - long story short - for your on-premise server you need to use AWS API keys.
The security team has raised concern about storing the credentials locally as it is vulnerable.
Unfortunatelly - at the end you need to store the credentials somewhere. Even using services such as Cognito or STS you will need to store the credentials for the service somewhere (effectively - for any external or cloud service regardless what cloud or service you may use).
IMHO the best you can do is using dedicated AWS credentials (API keys) with only permission what are really needed.
Related
I am trying to figure out what is the best practice to integrate AWS S3 in my android app.
As a pre-work I have an s3 bucket which I can upload\download\delete using the python/java SDK and now I want to implement it in my android app.
I found on the web different approaches and can not get my head straight what is the recently\correct way doing it.
My research brought the following result:
mobile hub - https://grokonez.com/android/uploaddownload-files-images-amazon-s3-android
or in the amazon offical - https://docs.aws.amazon.com/aws-mobile/latest/developerguide/mobile-hub-add-aws-mobile-user-data-storage.html
user pool\cognito -https://101apps.co.za/index.php/item/195-android-and-amazon-s3-secure-file-storage-in-the-cloud
github project - https://github.com/nimran/Amazon-S3-Integration-in-Android - when i clone and try to activate it most of the aws calls are deprect.
another amazon official, this time using Android SDK - https://aws-amplify.github.io/docs/android/storage
I am looking for a guide\repo which is up to date and explain the correct way to integrate S3 in an android app.
thx
#helpper The best way is to follow the official documentation which contains nice sample code to start, always updatated and easy to follow instead of any other sites.
For now you can follow the Android Sdk docs or the Amplify framework but the amplify framework is currently is in Preview stage which will be ready in few days.
I would recommend using Cognito Identity Pools here to generate temporary AWS Credentials (which are obtained via AWS STS). Those credentials can be further used to invoke relevant AWS S3 API calls, and thus satisfy your application development requirements.
Cognito Identity Pools support both Unauthenticated Access and Authenticated Access, so with relevant roles, you would need to select appropriate IAM JSONs for both cases, to ensure your software remains robust and secure.
Since you are developing your application on Android(with Java), I would highly recommend this official AWS documentation as your starting point.
Check the sample app: aws labs.
Build the app and customize it accordingly. Just change the settings in "aws configuration file".
Prerequisite:
Android Studio
S3 bucket
aws cognito (identity pool)
aws IAM role (identity pool role, having access to S3 bucket)
Hope this helps!
when deploying java app on EC2 i can just use
new ProfileCredentialsProvider()
to inject some instance credentials. but which IAM user will it be? how can i manage permissions of that user? for example to limit his rights to some specific S3 bucket
Mark B is 100% correct about EC2 Instance Profiles. Quick aside -- the Java ProfileCredentialsProvider refers to the credentials profile available to AWS SDKs and the AWS CLI rather than the EC2 instance profiles. From its documentation:
Credentials provider based on AWS configuration profiles. This
provider vends AWSCredentials from the profile configuration file for
the default profile, or for a specific, named profile.
AWS credential
profiles allow you to share multiple sets of AWS security credentials
between different tools like the AWS SDK for Java and the AWS CLI.
This isn't desirable for deployment to EC2 because it means you have to store your configuration profile on the EC2 instance. Per Mark B's answer, EC2 instance profiles are preferable for passing credentials to applications on EC2.
To be able to retrieve either without further code changes, simply use the DefaultAWSCredentialsProviderChain (note: renamed DefaultCredentialsProvider in AWS SDK for Java v2), which will fall through several credentials schemes until it finds a valid one on your system. Per the documentation, it looks for credentials in this order:
Java System Properties - aws.accessKeyId and aws.secretKey
Environment Variables - AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
Credential profiles file at the default location (~/.aws/credentials) shared by all AWS SDKs and the AWS CLI
Credentials delivered through the Amazon EC2 container service if AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" environment variable is set
and security manager has permission to access the variable.
Instance profile credentials delivered through the Amazon EC2 metadata service
This will allow you to look for credential profiles in your local development environment, and EC2 Instance Profiles in your production EC2 environment.
Further Reading
AWS Documentation - Using Instance Profiles
AWS Documentation - Working with AWS Credentials - Note this documentation is for the AWS SDK for Java 2.0 preview
It isn't an IAM user, it is an EC2 Instance Profile. First you have to create the Instance Profile in your account, just like you have to create IAM users. You would manage the rights of the EC2 instance profile exactly how you would manage the rights of an IAM user, by assigning the appropriate IAM security Policies to the Instance Profile.
I am designing an application that will require users to first login and then access several secure web pages. I plan on using AWS along with the AWS Load Balancer and expect several AWS instances of this application to be running. What is the "best practice" for persisting security credentials across several web pages and several instances? The user will login and then navigate through several secure web pages. I presume the AWS Load Balancer will be round-robin redirecting each https request to a different server instance. How does each instance know that the user has successfully logged in? Also, how do I keep the secure pages secure from external access? The platform will be Linux, Java, and Spring-boot.
I presume the AWS Load Balancer will be round-robin redirecting each
https request to a different server instance.
That's the default ELB behavior, but you can enable sticky sessions on the Elastic Load Balancer to lock a user to a specific back-end server, at which point the HTTP session stored on that one server keeps track of the user's authentication state.
How does each instance know that the user has successfully logged in?
They don't, unless you configure a shared session store of some kind. I prefer using Redis (ElastiCache) as a shared session store. Of course if you enable sticky sessions at the ELB that might prevent the need for a shared session store.
Also, how do I keep the secure pages secure from external access? The
platform will be Linux, Java, and Spring-boot.
That's not really a feature of AWS. You would need to add security to your application. Look into Spring Security.
Our product is a hosted Web application which needs to be accessed by a client X using SSO.
The client credentials are maintained on a Azure Cloud platform, and users are authenticated when they login to their Windows PC.
What is the best way for us to integrate our application on the client's Windows environment, so that all users are authenticated without logging in to our application?
The client has pointed out that we could use ADAL but i'm not sure if that works as we do not have our own AD based or LDAP based user management platform. We currently store all the user management data in the DB.
I'm a newbie to this topic so any guidance is really appreciated.
Based on my understanding, the issue is that the authenticated user from a portal access a url link of Java Web Application working with SSO when the Java webapp and the portal are not identical.
Per my experience, I think you can try to use Azure AD Application Proxy to solve the issue. You can refer to the document https://azure.microsoft.com/en-us/documentation/articles/active-directory-application-proxy-sso-using-kcd/#working-with-sso-when-on-premises-and-cloud-identities-are-not-identical to know the application scenario of Application Proxy.
You can try to follow the steps below to implement the needs. And as references, there are some documents explained how to do for each step.
Enable the Azure AD Application Proxy on Azure Portal, and install & register the proxy connector for your application. Please refer to the doc https://azure.microsoft.com/en-us/documentation/articles/active-directory-application-proxy-enable/ for more details.
Publish your application using Application Proxy, please follow the wizard steps of the doc https://azure.microsoft.com/en-us/documentation/articles/active-directory-application-proxy-publish/.
Enable SSO for your application and the portal, please review the section Working with SSO when on-premises and cloud identities are not identical of https://azure.microsoft.com/en-us/documentation/articles/active-directory-application-proxy-sso-using-kcd/#working-with-sso-when-on-premises-and-cloud-identities-are-not-identical.
If some issue encounted in implementing the plan, you can firstly refer to the doc https://azure.microsoft.com/en-us/documentation/articles/active-directory-application-proxy-troubleshoot/ to troubleshoot.
Any concern, please feel free to let me know.
I am working on a java application having Database authentication using spring-security.
It is very usual that, this application is used with other applications on similar domain.
Requirement: The need is that all such partner apps should be able to share common authentication with my application.
Also it is required to continue supporting DB authentication as well.
One way I found is to embed LDAP server like ApacheDS in my application so that other partner apps can use it to get authenticated.
In this case, I need to load ApacheDS with related Database records and keep it in sync programmatically.
But disadvantage on this is to have redundant copy of authentication data - one at DB and another at ApacheDS LDAP.
Question: Is there any way to avoid such duplication. By googling, I found option of having virtual directory server Penrose or Oracle Virtual Directory. But unfortunately they cannot be embedded in application. Is there any way to provide embedded LDAP support on top of existing Database authentication?
Disclaimer: I know very little about Spring Framework and even less of Spring Security
Having said that. I did face a similar situation, in my case, it was Apache DS as my app authentication source and client AD as the other.
My deployment environment was Tomcat and I used Tomcat Combined realm, which nests more than one realm for authentication. My app realm was configured to be one and client's AD was configured to be another.
Users could authenticate from any one of the realm, it worked. However, I did have to replicate client's AD users every night (including AD tombstones to mark them inactive), for authentication is one thing but other client information was also required, e.g. email, roles etc. and inclusion of new users.
I am kind of sure that Spring Security will also have the concept of Combined Realm.
I understand that this answer is not really an answer and more of design approach and many years too late at that; however, I wished to share my experience.